International Reactions to Google’s New Privacy Policy

Google’s new privacy policy took effect last Thursday, following several weeks campaigning to educate users on the changes. The policy will allow them to consolidate users’ data across all of its services and platforms, in a move they claim will both improve user experience and make their policy “easier to understand.” The international privacy community, however, is having none of it. Lawmakers, privacy authorities, technical experts, and privacy organizations around the world are releasing public statements and direct letters to Google representatives that are critical of the new policy. Advocacy groups criticize and condemn the changes, and the European Union, Japanese, and Canadian privacy authorities have released statements indicating that the new policy may violate their domestic privacy laws. Google meanwhile, seems to be ignoring the global outcry, dismissing criticism as “chatter and confusion.”

The opposition to Google’s changes expresses several points of concern. The privacy commissioner of Canada, Jennifer Stoddart concisely described the specific concerns. First, it will share users’ data across its more than 60 services, including all Google applications, subsidiary websites such as Youtube, and Android phones. Additionally, the consolidation of all of the previous service-specific plans makes it hard to tell what data will be retained, for how long, and what Google plans to do with the data that they collect on their users. This is significantly worrying for Android users whose device information, log information, and locational information can now all feasibly be collected. It is clear that this data integration will significantly facilitate their ability to personalize their services to their users. What is not clear are all the new unforeseeable ways the company plans to use this data.

Criticism has been aimed at Google for being vague about the changes as well as failing to consult privacy advocates about the new policy. Despite their efforts to educate their users on how they would be impacted, Google’s early explanations were not specific was substantively changing in the new policy. In fact, it took a letter from eight Congressional representatives to get them to provide straight-forward answers. The criticism levied from various entities in reaction vary from polite expressions of concern to curt demands to halt the plan altogether.

The French Data Protection Agency, on behalf of European privacy authorities, warned that Google's proposed change violates European Union privacy law [pdf]. In a letter to Google CEO Larry Page, the French agency criticized the company for not well informing data protection authorities in the EU, despite claiming to have “extensively pre-briefed” them. The official also criticizes the policy itself:

The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with the European Data Protection legislation…

If the new policy does indeed violate the European Directive on Data Protection, Google will face a big challenge in Europe.

The Australian Privacy Foundation (APF) had made efforts to compel state agencies to take action in light of the Foundation’s policy statement outlining specific critiques of the changes. Shortly after Google announced the new policy, APF sent a letter [pdf] to the Australian consumer protection agency to investigate the changes in order “to assert relevant laws and communicate to Google the serious public policy concerns.” The consumer protection agency has yet to respond.

The APF also sent a similar letter [pdf] to the Office of the Australian Information Commissioner with their policy statement attached. Timothy Pilgrim, the Australian Privacy Commissioner, responded a month later, roughly 36 hours left before Google's notice-period would expire. The letter is less critical of than the APF’s original critique.

The Japanese government’s Ministry of Internal Affairs and Communications together with the Ministry of Economy, Trade and Industry also released a statement to Google before the new policy, that it must respect privacy laws and regulations. The letter came out of concerns that the new policy could lead to violations of personal data protections laws in Japan. It asked the company to provide clearer explanations of the new rules and allow users to ask questions about the policy even after it has been initiated.

Despite the criticisms, Google’s official blog continued to defend its new policy, emphasizing that they made the changes to benefit the users:

We continue to look for ways to make it simpler for you to understand and control how we use the information you entrust to us. We build Google for you, and we think these changes will make our services even better.

But consumer groups disagree. The Transatlantic Consumer Dialogue, a coalition of consumer organizations in North America and Europe, urged [pdf] Google CEO Larry Page to drop the new policy changes:

Consumers in Europe, Canada, and Mexico have had the benefit of privacy law and privacy agencies. Consumers in the United States rely on a patchwork structure, including the US Federal Trade Commission, to protect their interests. And Internet users around the world rely on the integrity of your company, and on you, to do the right thing. Their eyes are all on you…

…Going forward with this plan will be a mistake. We ask you to reconsider.

~

Before the policy took effect March 1st, EFF published two tutorials for users on how to delete their viewing and history on Youtube and Google Web History.

Related Updates

There’s a new, proposed backdoor to our data, which would bypass our Fourth Amendment protections to communications privacy. It is built into a dangerous bill called the CLOUD Act, which would allow police at home and abroad to seize cross-border data without following the privacy rules where the data is...

EFF and 23 other civil liberties organizations sent a letter to Congress urging Members and Senators to oppose the CLOUD Act and any efforts to attach it to other legislation. The CLOUD Act (S. 2383 and H.R. 4943) is a dangerous bill that would tear away global privacy...

People in marginalized communities who are targets of persecution and violence—from the Rohingya in Burma to Native Americans in North Dakota—are using social media to tell their stories, but finding that their voices are being silenced online. This is the tragic and unjust consequence of content moderation policies...

The Supreme Court of India has commenced final hearings in the long-standing challenge to India's massive biometric identity apparatus, Aadhaar. Following last August’s ruling in the Puttaswamy case rejecting the Attorney General's contention that privacy was not a fundamental right, a five-judge bench is now weighing in on...

Although we have been opposing Europe's misguided link tax and upload filtering proposals ever since they first surfaced in 2016, the proposals haven't been standing still during all that time. In the back and forth between a multiplicity of different Committees of the European Parliament, and two other institutions...

This week, Senators Hatch, Graham, Coons, and Whitehouse introduced a bill that diminishes the data privacy of people around the world.
The Clarifying Overseas Use of Data (CLOUD) Act expands American and foreign law enforcement’s ability to target and access people’s data across international borders in two ways. First...

EFF fights for technology users. We believe that empowering and protecting users should be baked into laws, policies, and court decisions, as well as into the technologies themselves. Since our founding in 1990, we have paired this goal with the common-sense recognition that in order to properly consider these questions...

Last week EFF attended the Global Conference on Cyberspace (GCCS) in New Delhi, India, as one of a small handful of nonprofit organizations invited to participate. This was the fifth in a series of conferences sometimes called the London Process, after the first event that was held in London...

Last week the European Parliament passed a new Consumer Protection Regulation [PDF] that allows national consumer authorities to order ISPs, web hosts and domain registries to block or delete websites... all without a court order. The websites targeted are those that allegedly infringe European consumer law. But European consumer...

The global movement for open access to publicly-funded research stems from the sensible proposition that if the government has used taxpayers' money to fund research, the publication of the results of that research should be freely-licensed. Exactly the same rationale underpins the argument that software code that the government...